加密
1.新建虚拟机并安装docker环境
操作步骤参考docker(一)
2. 配置使用非安全(insecure, 明文 HTTP)的仓库
[root@server2 docker]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# vim daemon.json ##编辑文件
[root@server2 docker]# cat daemon.json
{
"insecure-registries" : ["172.25.13.1:5000"]
}
[root@server2 docker]# systemctl reload docker.service
[root@server2 docker]# docker pull 172.25.13.1:5000/webserver ##拉取webserver镜像
3. 搭建证书认证的私有仓库
[root@server1 ~]# docker stop registry
[root@server1 ~]# docker rm registry ##如果存在就删除
[root@server1 ~]# ll /opt/registry/ ##刚才建立的数据目录还在
total 0
drwxr-xr-x 3 root root 22 Jan 24 18:04 docker
3.1 创建证书
[root@server1 ~]# mkdir certs ##存放下一步生成的证书和私钥
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt ##生成自签名证书(-x509)，-nodes 表示私钥不加密保存；输出的证书文件和key在/root/certs
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:reg.westos.org
Email Address []:root@westos.org
[root@server1 ~]# cat /etc/hosts | grep reg.westos.org ##需要对证书中的 Common Name(reg.westos.org) 做主机名解析
172.25.13.1 server1 reg.westos.org
[root@server1 ~]# cd certs/
[root@server1 certs]# ls
westos.org.crt westos.org.key
3.2 仅使用证书(尚无用户认证)的仓库
[root@server1 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry
[root@server1 ~]# docker tag game2048:latest reg.westos.org/game2048:latest
[root@server1 ~]# docker push reg.westos.org/game2048:latest
The push refers to repository [reg.westos.org/game2048]
Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority ##证书由未知 CA 签发：自签名证书尚未被 docker 客户端信任
上传失败，原因是 docker 客户端不信任该仓库的证书
[root@server1 ~]# mkdir /etc/docker/certs.d/reg.westos.org/ -p ##/etc/docker/certs.d/<仓库域名>/ 是唯一一个 docker 可以自动检测并加载仓库证书的目录
[root@server1 ~]# cp certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt
[root@server1 ~]# ll /etc/docker/certs.d/reg.westos.org/ca.crt
[root@server1 ~]# docker push reg.westos.org/game2048:latest
##push成功
server2 从 server1 拉取镜像前，需要 server1 先将证书发送到 server2
[root@server1 ~]# cd /etc/docker/certs.d/reg.westos.org/
[root@server1 reg.westos.org]# ls
ca.crt
[root@server1 reg.westos.org]# scp ca.crt server2:/etc/docker/certs.d/reg.westos.org/
##注意:每一台需要访问仓库的主机都要做 reg.westos.org 的解析
3.3 建立用户认证
3.3.1 建立用户认证以及出现的问题(启用认证后未登录直接上传)
[root@server1 ~]# mkdir auth
[root@server1 ~]# yum install -y httpd-tools ##提供 htpasswd 命令
[root@server1 ~]# htpasswd -B -c auth/htpasswd zhy ##-B 使用 bcrypt 哈希存储密码，-c 新建文件；其余参数含义通过--help查看
[root@server1 ~]# htpasswd -B auth/htpasswd zhy1
[root@server1 ~]# cat auth/htpasswd ##查看建立的用户，密码以 bcrypt 哈希($2y$)形式存储，而非明文
zhy:$2y$05$mR0xWaRSoYDDiDrTlJrKG.RaE1n896r8upwedFNB1AT8smAwHAdZG
zhy1:$2y$05$MJClRV2oDeyr6qgFgpike.NZLnufyBYF.62Q/PggRaK9FgIPELia6
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
删除原来的 registry 容器后重新创建，并额外挂载 auth 目录、开启 htpasswd 认证
3.3.2解决用户认证问题
reg.westos.org是自己建立的私有仓库
[root@server1 ~]# docker login reg.westos.org ##登录一次即可；凭据会以 base64 编码(并非加密)保存在 /root/.docker/config.json 中，注意保护该文件
Username: zhy
Password:
[root@server1 ~]# cat /root/.docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "emh5MTIzNDU2d2w6emh5OTcwMTEw"
},
"reg.westos.org": {
"auth": "emh5Ondlc3Rvcw=="
}
}
}
[root@server1 ~]# docker push reg.westos.org/nginx:latest ##server1上传成功
##server2的拉取
[root@server2 ~]# docker login reg.westos.org ##同样使用已建立的认证用户进行登录
[root@server2 ~]# docker pull reg.westos.org/nginx ##拉取成功
server1上传成功
server2的拉取